Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/MarkKragerup/weblint-eslint-security
ESLint rules for enhanced security
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/MarkKragerup/weblint-eslint-security
- Owner: MarkKragerup
- License: mit
- Created: 2020-06-10T17:38:32.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-03-04T23:37:51.000Z (almost 2 years ago)
- Last Synced: 2024-08-08T05:13:35.080Z (4 months ago)
- Language: JavaScript
- Size: 322 KB
- Stars: 8
- Watchers: 1
- Forks: 2
- Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# eslint-plugin-weblint-security
[![npm version](https://img.shields.io/npm/v/eslint-plugin-weblint-security.svg)](https://www.npmjs.com/package/eslint-plugin-weblint-security)
[![Downloads/month](https://img.shields.io/npm/dm/eslint-plugin-weblint-security.svg)](http://www.npmtrends.com/eslint-plugin-weblint-security)

Additional ESLint security rules for JavaScript, React and Node.js / Express!
## 💿 Installation
Install ESLint either locally or globally. (Note that locally, per project, is strongly preferred.)
```
$ npm install --save-dev eslint eslint-plugin-weblint-security
```
- Requires Node.js `>=14.4.0`
- Requires ESLint `>=7.2.0`
- Requires ES-Parser `>=2020`
## 🔧 Setup & Usage
Include Weblint security plugin in your **.eslintrc.json** configuration file ("env" required*):
```
{
"env": {
"browser": true,
"es2020": true
},
"plugins": [
"weblint-security"
],
"extends": [
"eslint:recommended",
"plugin:weblint-security/recommended"
]
}
```
### React support
For **React** projects, include the **React specific** rules and configurations:
```
{
"env": {
"browser": true,
"es2020": true
},
"parserOptions": {
"sourceType": "module"
},
"parser": "babel-eslint",
"plugins": [
"weblint-security"
],
"extends": [
"eslint:recommended",
"plugin:weblint-security/recommended",
"plugin:weblint-security/react"
]
}
```
### Node.js support (including Express.js security aspects)
For **Node.js** projects, include the **Node.js specific** rules and configurations:
```
{
"env": {
"node": true
},
"parser": "babel-eslint",
"plugins": [
"weblint-security"
],
"extends": [
"eslint:recommended",
"plugin:weblint-security/recommended",
"plugin:weblint-security/nodejs"
]
}
```
## 📖 Rules
✒️ marks rules with an automatic fix. Use `eslint --fix .` to apply all available fixes to your project.
### Recommended base rules (@/recommended)
| **Rule ID** | **Description** | |
|:--------|:------------|:--:|
| [no-href-and-src-inline-xss](https://github.com/MarkKragerup/weblint-eslint-security/blob/master/docs/rules/no_href_and_src_inline_xss.md) | Disallows unescaped variables of uncertain origin from href and src attributes, due to the concern that they might originate from user input. | ✒️ |
### React specific rules (@/react)
| **Rule ID** | **Description** | |
|:--------|:------------|:--:|
| [no-href-and-src-inline-xss-react](https://github.com/MarkKragerup/weblint-eslint-security/blob/master/docs/rules/no_href_and_src_inline_xss_react.md) | Disallows unescaped variables of uncertain origin from href and src JSX attributes, due to the concern that they might originate from user input. | ✒️ |
### Node.js specific rules (@/nodejs)
| **Rule ID** | **Description** | |
|:--------|:------------|:--:|
| [detect-sql-injection](https://github.com/MarkKragerup/weblint-eslint-security/blob/master/docs/rules/detect-sql-injection.md) | Detects the usage of SQL queries that might be vulnerable to SQL injection. | |
| [detect-missing-helmet](https://github.com/MarkKragerup/weblint-eslint-security/blob/master/docs/rules/detect-missing-helmet) | Disallows use of Express.js applications without the Helmet.js defaults, due to the concern that the HTTP headers might be insecurely configured. | ✒️ |
## ❤️ Contributions
We welcome contributions! Please use GitHub's Issues/PRs.
Please make sure any contributions are covered within the tests, or that new tests are supplied for the contribution.
### Testing the rules
To run the tests, use: `npm test`
Test coverage is achieved through the set of **test files**, located at:
`/tests/test-files//`

**All test files are prefixed** with one of the following:
- `valid_` for files that should give no output. Useful for testing false positives and soundness.
- `invalid_` for files that should give some output. Useful for testing use-cases and completeness.
- `fixed_` for files that contain the output of applying `eslint --fix` to some `invalid_` file.
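As an added illustration (not code from the weblint-eslint-security project, and not what its `--fix` produces), the pattern the `no-href-and-src-inline-xss` rule reports, which is the kind of code an `invalid_` test file holds, shown beside a hardened form that only lets checked `http(s)` URLs reach `href`; the scheme allowlist, the base URL and the helper names are assumptions:

```javascript
// Added example, not part of eslint-plugin-weblint-security. It shows the
// pattern no-href-and-src-inline-xss is concerned with: an href/src attribute
// built from a value of uncertain origin, and a hardened counterpart.

// Assumption: only http(s) links are acceptable in this application's anchors.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Assumption: relative inputs resolve against the application's own origin.
const APP_BASE = "https://example.com/";

// Resolve and validate a candidate URL. Returns the normalized absolute URL,
// or null when the input is not a string, fails to parse, or uses a scheme
// outside the allowlist (so javascript:, data: and similar never reach href).
function safeUrl(input, base = APP_BASE) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    parsed = new URL(input, base);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Escape the characters that can break out of a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The pattern the rule flags (what an invalid_ test file would contain):
// the variable is placed in href verbatim, whatever it holds.
function linkUnsafe(userValue) {
  return `<a href="${userValue}">link</a>`;
}

// Hardened form: scheme-checked, normalized and attribute-escaped; rejected
// values fall back to an inert href instead of the raw input.
function linkSafe(userValue) {
  const url = safeUrl(userValue);
  return `<a href="${url === null ? "about:blank" : escapeAttr(url)}">link</a>`;
}
```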